Closed
Bug 291640
(CVE-2023-37203)
Opened 20 years ago
Closed 1 year ago
Drag and drop can create shortcuts to local files
Categories
(Core :: DOM: Copy & Paste and Drag & Drop, defect)
Tracking
()
RESOLVED
FIXED
115 Branch
People
(Reporter: pvnick, Assigned: Gijs)
References
()
Details
(Keywords: sec-moderate, Whiteboard: [sg:moderate][adv-main115+] high with cooperation from the victim)
Attachments
(3 files, 3 obsolete files)
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7) Gecko/20050414 Firefox/1.0.3
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7) Gecko/20050414 Firefox/1.0.3
In the page javascript:'Drag this broken image to the desktop:<img
src="C:/windows/system32/cmd.exe">', dragging the broken image to the desktop
will create a shortcut to cmd.exe, which, when opened, will spawn cmd.exe
Reproducible: Always
Steps to Reproduce:
1.javascript:'Drag this broken image to the desktop:<img
src="C:/windows/system32/cmd.exe">'
2. drag broken image to desktop
3. double click new icon on desktop
Actual Results:
cmd.exe opened
Expected Results:
executable files shouldnt be draggable
ok, this one is real, and i can make it more dangerous pre sp2.
however, it's all limited to the 1.0 branch, i had someone test for me on trunk
and none of the cases i provided worked.
Version: unspecified → 1.0 Branch
|
||
Comment 2•20 years ago
|
||
Confirming on 1.0.3. In XPSP2, dragging to the desktop prompts me to add it as
an Active Desktop item, but dragging it to a folder creates a .url shortcut,
which will launch the application when double clicked. In SP2 this has a
security prompt before it actually launches.
Status: UNCONFIRMED → NEW
Ever confirmed: true
|
||
Comment 3•20 years ago
|
||
Is there a way to influence the name of the link? If it looks like <blah>cmd.exe
it's kind of on the user if they click it. You're not dragging the exe itself,
just a shortcut. Is there a way to pass parameters? That would certainly make
this more dangerous.
Flags: blocking-aviary1.1?
Flags: blocking-aviary1.0.4?
|
|
||
Updated•20 years ago
|
Assignee: bugs → dveditz
Flags: blocking1.8b3+
Flags: blocking-aviary1.1?
Flags: blocking-aviary1.1+
Flags: blocking-aviary1.0.5?
Flags: blocking-aviary1.0.5+
Product: Firefox → Core
Whiteboard: [sg:fix]
|
||
Comment 5•20 years ago
|
||
Not going to make the 1.0.5 train, but need to look into this for future 1.0.x
release.
|
|
||
Comment 6•20 years ago
|
||
-'d per drivers meeting
Flags: blocking-aviary1.0.5+ → blocking-aviary1.0.5-
|
|
||
Updated•20 years ago
|
Flags: blocking-aviary1.0.6+
|
||
Updated•20 years ago
|
Flags: blocking1.8b4+
Flags: blocking1.8b3-
Flags: blocking1.8b3+
|
||
Comment 7•20 years ago
|
||
would be nice to fix, not critical for aviary1.5 (dveditz)
/cb
Flags: blocking1.8b4-
Flags: blocking1.8b4+
Flags: blocking-aviary1.5-
Flags: blocking-aviary1.5+
Flags: blocking-aviary1.0.7-
Flags: blocking-aviary1.0.7+
|
||
Updated•18 years ago
|
QA Contact: ali → ian
|
||
Comment 8•18 years ago
|
||
Did the patch in bug 285438 take care of this bug?
Whiteboard: [sg:fix] → [sg:moderate] critical with cooperation from the victim
|
|
||
Updated•16 years ago
|
Version: 1.0 Branch → 1.7 Branch
|
||
Comment 10•13 years ago
|
||
I just tested this using Windows 7 and the latest trunk nightly and this appears to still be a problem. Dragging the test icon to the desktop creates a shortcut to the executable that will execute without any prompts.
I don't know enough about security expectations with this sort of thing to know how big of a problem this is.
|
||
Comment 11•13 years ago
|
||
This is only really a problem in combination with file-planting attacks or other things. But in any case we should fix it, probably doing a checkLoadURIWithPrincipal to see whether the website is allowed to link to that thing.
|
||
Comment 13•13 years ago
|
||
This patch does the basic implementation. There are two issues I am not sure how to deal with:
- the test displays a 'grant privileges dialog'.
- test testcase in the first comment uses a file path not a url.
But this patch is a suitable starting point.
|
|
||
Comment 14•13 years ago
|
||
Attachment #603406 -
Attachment is obsolete: true
|
|
||
Comment 15•13 years ago
|
||
Comment on attachment 612661 [details] [diff] [review]
Patch version 2, fix up test
Not sure entirely about this patch as it doesn't fix the reported issue. Wondering if it would be better to have the platform-specific widget layer reject creating links to local files somehow.
Attachment #612661 -
Flags: feedback?(bugs)
|
||
Comment 16•13 years ago
|
||
Why would it have to be platform-specific?
Couldn't we whitelist the allowed schemes, or at least blacklist javascript: ?
|
|
||
Comment 17•13 years ago
|
||
(In reply to Olli Pettay [:smaug] from comment #16)
> Why would it have to be platform-specific?
> Couldn't we whitelist the allowed schemes, or at least blacklist javascript:
> ?
'javascript:' isn't used here.
The bug here is in preventing:
event.dataTransfer.setData("text/x-moz-url-data", "c:/builds/");
which isn't actually a URL and Windows translates it in some manner when creating a shortcut.
|
||
Updated•13 years ago
|
Keywords: sec-moderate
|
|
||
Comment 18•13 years ago
|
||
Comment on attachment 612661 [details] [diff] [review]
Patch version 2, fix up test
Ah, ok. Sounds like widget layer fix is needed.
Attachment #612661 -
Flags: feedback?(bugs)
|
||
Updated•9 years ago
|
Group: core-security → dom-core-security
|
|
||
Updated•9 years ago
|
Assignee: enndeakin → nobody
|
|
||
Updated•8 years ago
|
Group: dom-core-security → firefox-core-security
Product: Core → Firefox
|
||
Updated•2 years ago
|
QA Contact: ian
|
||
Comment 19•2 years ago
|
||
In the process of migrating remaining bugs to the new severity system, the severity for this bug cannot be automatically determined. Please retriage this bug using the new severity system.
Severity: major → --
|
Assignee | |
Updated•1 year ago
|
Assignee: nobody → gijskruitbosch+bugs
|
|
Assignee | |
Comment 21•1 year ago
|
||
|
|
Assignee | |
Updated•1 year ago
|
Group: firefox-core-security → dom-core-security
Component: File Handling → DOM: Copy & Paste and Drag & Drop
OS: Windows XP → All
Product: Firefox → Core
Hardware: x86 → Desktop
|
|
Assignee | |
Comment 22•1 year ago
|
||
Filed bug 1832266 for tests.
|
|
||
Comment 23•1 year ago
|
||
r=emilio
https://hg.mozilla.org/integration/autoland/rev/c8f66e4894442df742c8b2b29be26a2937c193be
https://hg.mozilla.org/mozilla-central/rev/c8f66e489444
Group: dom-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 1 year ago
status-firefox115:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 115 Branch
|
||
Updated•1 year ago
|
Attachment #612661 -
Attachment is obsolete: true
|
|
||
Updated•1 year ago
|
status-firefox113:
--- → wontfix
status-firefox114:
--- → wontfix
status-firefox-esr102:
--- → wontfix
|
|
||
Updated•1 year ago
|
Severity: -- → S2
|
|
Assignee | |
Comment 24•1 year ago
|
||
This fix works for file: but appears to be incomplete for c:/ links.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
|
|
Assignee | |
Updated•1 year ago
|
Group: core-security-release → dom-core-security
|
|
Assignee | |
Comment 25•1 year ago
|
||
Hm, so the reason I didn't catch this originally is that it seems that we are more strict than Windows in how we parse Windows paths into URLs. Specifically, a link that points to: C:\Users gets transformed to file:///C:/Users (and blocked, on current nightly already) but a link to C:/Users does not. This causes problems when we then pass this information to Windows and it does then interpret the target as a file path.
The simplest fix is to change the URI fixup parser to also recognize this syntax as a file URI, here. It's worth noting that just setting attemptFixup to true in that case is insufficient: our Windows path parsing code will fail to initialize the file when the path is made up of forward slashes instead of backslashes.
I have a patch for this. It passes urlbar and docshell urifixup unit tests without changes... in principle it shouldn't end up impacting any web content because we'd primarily use nsIURI for security checks and navigation, rather than fixup. I think fixing up C:/Users/ in the URL bar to file:///C:/Users/ (instead of a search query with the default search provider) is probably a net win, but if we think that may be in doubt we could put it behind a fixup flag and/or pref.
|
|
Assignee | |
Comment 26•1 year ago
|
||
|
|
||
Comment 27•1 year ago
|
||
r=mak
https://hg.mozilla.org/integration/autoland/rev/d5620d8eb2090ec5a6024d64684b005429066c5c
https://hg.mozilla.org/mozilla-central/rev/d5620d8eb209
Group: dom-core-security → core-security-release
Status: REOPENED → RESOLVED
Closed: 1 year ago → 1 year ago
Resolution: --- → FIXED
|
||
Updated•1 year ago
|
Whiteboard: [sg:moderate] critical with cooperation from the victim → [sg:moderate][adv-main115+] critical with cooperation from the victim
|
|
||
Comment 28•1 year ago
|
||
|
|
||
Comment 29•1 year ago
|
||
Attachment #9341326 -
Attachment is obsolete: true
|
||
Updated•1 year ago
|
Alias: CVE-2023-37203
|
|
||
Updated•1 year ago
|
Whiteboard: [sg:moderate][adv-main115+] critical with cooperation from the victim → [sg:moderate][adv-main115+] high with cooperation from the victim
|
|
||
Updated•1 year ago
|
Group: core-security-release
You need to log in
before you can comment on or make changes to this bug.
Description
•